Security and privacy in public WLAN networks
Savio Lau, saviol@cs.sfu.ca
March 01, 2005
Roadmap
- Introduction of public WLAN networks
- Network security
- User privacy
- Experiments and analysis
- Conclusion
March 1, 2005 Security and privacy in public WLAN networks 2
Public WLAN networks
Refers to pay and non-pay networks that allow the public to access limited services such as the Internet:
- wireless access from coffee shops and Internet cafes
- networks operated by cellular companies: FatPort, T-Mobile
- campus networks: SFU, UBC
Layout of public WLAN networks
[Diagram labels: Authentication server; Network access management device (monitoring, firewall, redirection); Access provider network; Internet; Ethernet; Wireless-enabled laptops; Workstations]
Layout of public WLAN networks
- 802.11a/b/g air link: user WLAN devices to the access provider's WLAN routers
- Access provider network: firewall, intrusion detection system, authentication services
- Internet
Difference between switched and wireless networks
- Switched networks prevent data snooping through neighboring ports: redirection attacks through ARP cache poisoning and other means are possible, but easily detectable
- WLAN is by design a broadcast network: signals can be received by multiple hosts within an area
Network security
Access providers establish network security for the following reasons:
- metered access to services and accounting
- protection of their own network from malicious attacks
- prevention of viruses and worms from infecting their own network
- prevention of unauthorized access to non-public services
Network security
Network providers achieve network security through the following methods:
- authentication for granting access
- firewalls for limiting access to non-public services
- rule-based monitoring of traffic for attacks, viruses, and worms
- automatic preventive actions if malicious traffic is suspected
Example network: SFU
Employs a Vernier Networks product for access control:
- endpoint screening
- network access restriction
- traffic inspection
- remediation
- policy enforcement
User privacy
User privacy includes:
- controlled access to users' assets and data
- safety of user traffic from eavesdropping
- safety from malicious attacks
- safety from viruses and worms
Achieving user privacy
- Access control can be achieved through the use of password-based sharing and firewalls
- Safety from attacks, viruses, and worms can be achieved through up-to-date anti-virus products and firewalls
Network security vs. user privacy
- Goals of network operators and users are not necessarily identical
- Networks that are secure from the provider's perspective may not guard users' privacy
- The network provider's task is to prevent malicious traffic from entering the network
- How secure is network traffic over WLAN interfaces?
User privacy experiment
- Experiment was performed on SFU's campus network
- Two laptops and a WLAN-enabled PDA were used
- One laptop was set to monitor/promiscuous mode to capture traffic from the PDA and the second laptop:
  - Ethereal under Linux was used to capture traffic
  - only traffic from the two laptops and the PDA was captured, for privacy reasons
User privacy experiment
The PDA and the second laptop attempt to access the following services:
- Yahoo and Excite email services with newly created accounts
- ICQ Internet messaging
- POP3 email retrieval
- SMTP email transfer
Ethereal captures from PDA: Yahoo mail
Ethereal captures from PDA: Yahoo mail

    POST /config/login_verify2?9g733e3pghsok HTTP/1.1
    Host: login.yahoo.com
    User-Agent: Mozilla/4.08 (PDA; PalmOS/sony/model luke/revision:2.0.22 (en)) NetFront/3.1
    Referer: http://login.yahoo.com/config/exit?&.src=ym&.lg=ca&.intl=ca&.done=http%3a%2f%2flogin.yahoo.com%2fconfig%2fmail%3f.intl%3dca%26.lg%3dca

    .tries=&.done=http%3A%2F%2Flogin.yahoo.com%2Fconfig%2Fmail%3F.intl%3Dca%26.lg%3Dca&.src=ym&.slogin=wlangap&.partner=&.intl=ca&.fupdate=&passwd=veryvulnerable&login=sign+in
Ethereal captures from 2nd laptop: NetBIOS (NBNS)
Ethereal captures from 2nd laptop: ICQ
Ethereal captures from 2nd laptop: Yahoo mail

    GET /config/login?.tries=1&.src=www&.md5=&.hash=&.js=1&.last=&promo=&.intl=us&.bypass=&.partner=&.u=1spon6t127e88&.v=0&.challenge=9gmkeigtjaahgmqntlt_rmp2kfnw&.yplus=&.emailcode=&pkg=&stepid=&.ev=&hasmsgr=0&.chkp=y&.done=http%3a//www.yahoo.com&login=wlangap&passwd=d161f26c355df6ae13ba0ff8f82d4f0a&.persistent=&.save=1&.hash=1&.md5=1 HTTP/1.1
    Host: login.yahoo.com

The password is protected with an MD5 hash.
Ethereal captures from 2nd laptop: Excite mail

    POST /excitereg/login_process.jsp HTTP/1.1
    Host: registration.excite.com
    Referer: http://registration.excite.com/excitereg/login.jsp

    snonce=fmx0euffsgeh1oedvsbmaw%3d%3d&stime=4223b948&skew=13&crep=oeshuhthqr9nmg%3d%3d&jerror=none&membername=wlangap&password=xxxxxxx&gofer=sign+in%21&perm=0

    HTTP/1.1 302 Found
    Date: Tue, 01 Mar 2005 00:37:49 GMT
    Server: Apache/1.3.29 (Unix) Resin/2.0.5 mod_ssl/2.8.16 OpenSSL/0.9.7c

The password is encrypted; note that the capture still shows the password is 7 letters long.
Ethereal captures from 2nd laptop: POP3 mail

    +OK Qpopper (version 4.0.5) at rm-rstar.sfu.ca starting.
    X-LOCALTIME Mon, 28 Feb 2005 17:31:05 -0800
    IMPLEMENTATION Qpopper-version-4.0.5
    USER somebody                          (name replaced)
    +OK Password required for somebody.
    PASS abcdef                            (visible password replaced)
    +OK somebody has 583 visible messages (0 hidden) in 27739618 octets.
Ethereal captures from 2nd laptop: SMTP mail

    220 rm-rstar.sfu.ca ESMTP Sendmail 8.12.10/8.12.5/SFU-5.0H; Mon, 28 Feb 2005 17:32:16 -0800 (PST)
    MAIL FROM:<somebody@sfu.ca> SIZE=374          (name replaced with somebody)
    Message-ID: <4223C632.6050605@sfu.ca>
    Date: Mon, 28 Feb 2005 17:32:34 -0800
    From: Somebody <somebody@sfu.ca>
    User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: somebody@sfu.ca
    Subject: smtptest
    Content-Type: text/plain; charset=iso-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit

    testing smtp messages

    250 2.0.0 j211wgck006855 Message accepted for delivery
    QUIT
    221 2.0.0 rm-rstar.sfu.ca closing connection
Experimental results
- User privacy is not preserved because traffic is not encrypted
- Email services such as Yahoo and Excite encrypt passwords, but received email contents and sent email messages are in plain text
- Captured user data and passwords appear as plain text if simple browsers are used: NetFront 3.1 for PalmOS
Experimental results
- Instant messaging (IM) messages such as MSN or ICQ are captured in plain text
- POP3 and SMTP messages are sent in plain text by default:
  - SSL and TLS options are available but are hidden from view
  - access providers do not always provide encrypted email transfers
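The captures above were read by hand. As an added example (not part of the original slides), a small audit helper that scans captured application-layer lines for credentials sent in the clear, and tells the Yahoo challenge-response digest (the `.md5=1`/`.hash=1` login) apart from a plaintext password such as the PDA's or the POP3 PASS command. The sample lines are constructed, modelled on the captures in the deck.

```python
"""Audit captured lines for credentials sent in the clear (added example;
sample lines are constructed, modelled on the deck's Ethereal captures)."""
import re
from urllib.parse import parse_qs

HEX32 = re.compile(r"^[0-9a-f]{32}$")
POP3_PASS = re.compile(r"^PASS\s+(\S+)", re.IGNORECASE)
# Form fields carrying the password in the captures ("passwd" for Yahoo).
FORM_PASSWORD_KEYS = ("passwd", "password", "pass", "pwd")


def classify_form_body(body):
    """Return (kind, redacted) for a URL-encoded form body, or None."""
    fields = parse_qs(body, keep_blank_values=True)
    for key in FORM_PASSWORD_KEYS:
        value = fields.get(key, [""])[0]
        if not value:
            continue
        # Yahoo's login sets .md5=1/.hash=1 and sends a 32-hex digest:
        # still observable on the wire, but not the password itself.
        hashed = HEX32.match(value) and "1" in (
            fields.get(".md5", [""])[0], fields.get(".hash", [""])[0])
        return ("hashed" if hashed else "cleartext",
                f"{key}=<redacted:{len(value)} chars>")
    return None


def find_credential_exposures(lines):
    """Scan captured lines; return [(line_no, protocol, kind, redacted)]."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = POP3_PASS.match(line)
        if m:
            findings.append((no, "pop3", "cleartext",
                             f"PASS <redacted:{len(m.group(1))} chars>"))
        elif "=" in line and "&" in line:
            hit = classify_form_body(line)
            if hit:
                findings.append((no, "http-form", hit[0], hit[1]))
    return findings


SAMPLE_CAPTURE = [  # constructed, not real sessions
    "+OK Qpopper (version 4.0.5) at mail.example.invalid starting.",
    "USER somebody",
    "+OK Password required for somebody.",
    "PASS abcdef",
    ".src=ym&.intl=ca&.slogin=wlangap&passwd=veryvulnerable&login=sign+in",
    ".tries=1&login=wlangap&passwd=d161f26c355df6ae13ba0ff8f82d4f0a&.hash=1&.md5=1",
]
```

Only the length of each secret is reported, so the audit output itself does not become a second copy of the exposed credential.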
Experimental results
- Windows NetBIOS services automatically broadcast the workgroup and ID to the network: Windows shared folders could be accessed by others on the network
Vulnerability prevention
Is WLAN traffic encryption possible?
- Only if access providers choose to provide it:
  - may require newer equipment
  - difficulty in setup results in increased support calls
  - degradation of WLAN performance
- Not the access provider's problem:
  "We strongly recommend that our customers be aware of the security concerns of wireless networking and ensure the security of their Internet connections. It is your responsibility to adopt security measures which are best suited to your situation."
Vulnerability prevention
Is WLAN traffic encryption possible?
- WEP is supported by all 802.11 devices:
  - anyone with the WEP key can decode traffic: WEP usage is not useful in public networks
  - WEP is also vulnerable to cryptographic attacks [2]
- WPA uses temporal keys: not all 802.11 devices support this encryption type

[2] S. Fluhrer, I. Mantin, and A. Shamir, "Weaknesses in the key scheduling algorithm of RC4," Lecture Notes in Computer Science, vol. 2259, pp. 1-24, 2001.
Vulnerability prevention
End-to-end encryption protocols prevent data from being shown in plain text:
- HTTPS, i.e. HTTP over SSL
- POP3 and SMTP with SSL/TLS
- encrypted terminal access using SSH
- VNC using cryptographic APIs
- virtual private networks (VPN)
Network security
- Testing network security requires both the provider's and the users' consent
- We analyzed Vernier Networks' white paper for the deployment setup [1]
- The focus of our analysis was to examine whether the SFU network is secure
Evil twin attacks
- An evil twin is a rogue access point using the same Service Set Identifier (SSID) as the WLAN provider [3]
- If the provider network (such as SFU) employs authentication, a redirection server using an identical login page could be used in an attack:
  - poses as the access provider's authentication sequence
  - the login page captures the access provider's user logins as well as other logins and passwords

[3] C. Klaus, "Wireless LAN Security FAQ," Internet Security Systems, Oct. 6, 2002 [Online]. Available: http://www.iss.net/wireless/wlan_faq.php.
Evil twin attacks
- Aside from security audits, no known detection method for evil twins exists
- Users may be able to detect rogue access points after login by examining the IP address given by the access point
- Users cannot detect rogue access points prior to access: security professionals at the RSA security conference in February 2005 had their logins compromised [5]

[5] AirDefense, "AirDefense Monitors Wireless Airwaves at RSA 2005 Conference," press release, Feb. 17, 2005 [Online]. Available: http://airdefense.net/newsandpress/02_07_05.shtm.
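The two detection angles on this slide, the provider's airwave audit (the kind of monitoring reference [5] describes) and the user's after-login address check, as an added example that is not part of the original slides. The provider name, access-point inventory, beacon observations and address range are all constructed; a real deployment would take them from the provider's AP list, a monitoring card's beacon captures and the DHCP lease.

```python
"""Evil-twin checks for a public WLAN (added example; inventory, beacon
observations and address ranges below are constructed)."""
import ipaddress


def find_rogue_bssids(ssid, authorized_bssids, beacons):
    """Provider-side check: return unknown BSSIDs beaconing `ssid`, mapped to
    the channels they were seen on. Every BSSID using the provider's SSID
    should be one of the provider's own access points; an unknown one is an
    evil-twin candidate."""
    authorized = {b.lower() for b in authorized_bssids}
    rogues = {}
    for frame in beacons:
        if frame["ssid"] != ssid:
            continue
        bssid = frame["bssid"].lower()
        if bssid not in authorized:
            rogues.setdefault(bssid, set()).add(frame["channel"])
    return {b: sorted(ch) for b, ch in sorted(rogues.items())}


def address_is_expected(assigned_ip, gateway, provider_prefixes):
    """User-side check after association: the assigned address and gateway
    should both fall inside one of the ranges the provider documents. A rogue
    AP running its own DHCP server usually hands out something else."""
    nets = [ipaddress.ip_network(p) for p in provider_prefixes]
    ip = ipaddress.ip_address(assigned_ip)
    gw = ipaddress.ip_address(gateway)
    return any(ip in n and gw in n for n in nets)


# Constructed sample data (hypothetical provider, APs and addresses).
PROVIDER_SSID = "campus-wlan"
AUTHORIZED_BSSIDS = ["00:11:22:33:44:01", "00:11:22:33:44:02"]
BEACONS = [
    {"ssid": "campus-wlan", "bssid": "00:11:22:33:44:01", "channel": 1},
    {"ssid": "campus-wlan", "bssid": "00:11:22:33:44:02", "channel": 6},
    {"ssid": "campus-wlan", "bssid": "02:de:ad:be:ef:00", "channel": 6},
    {"ssid": "campus-wlan", "bssid": "02:DE:AD:BE:EF:00", "channel": 11},
    {"ssid": "coffee-shop", "bssid": "02:aa:bb:cc:dd:ee", "channel": 11},
]
PROVIDER_PREFIXES = ["192.0.2.0/24"]  # documented provider range

if __name__ == "__main__":
    print(find_rogue_bssids(PROVIDER_SSID, AUTHORIZED_BSSIDS, BEACONS))
    print(address_is_expected("192.0.2.57", "192.0.2.1", PROVIDER_PREFIXES))
    print(address_is_expected("10.0.0.7", "10.0.0.1", PROVIDER_PREFIXES))
```

Both checks are heuristics: a rogue that clones an authorized BSSID passes the first, and one that hands out addresses from the provider's range passes the second, which is why the slide says users cannot detect an evil twin before logging in.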
Evil twin attacks
From the access provider's perspective:
- evil twin attacks compromise user credentials
- they may compromise network security if other services are provided besides Internet access
- thanks to monitoring, attackers may be unable to use the network for malicious means or to spread viruses and worms
Conclusion
- Public WLAN networks may be convenient to use but are insecure from a user's perspective
- Privacy concerns may be partially mitigated by using encrypted protocols
- Future WLAN protocols may provide the required level of user privacy
References
[1] Vernier Networks, "Network access management: stopping intruders and worms before they get on the network," white paper [Online]. Available: http://www.verniernetworks.com/library/pdfs/wp_stopping_intruders_and_worms.pdf.
[2] S. Fluhrer, I. Mantin, and A. Shamir, "Weaknesses in the key scheduling algorithm of RC4," Lecture Notes in Computer Science, vol. 2259, pp. 1-24, 2001.
[3] C. Klaus, "Wireless LAN Security FAQ," Internet Security Systems, Oct. 6, 2002 [Online]. Available: http://www.iss.net/wireless/wlan_faq.php.
[4] Ethereal [Online]. Available: http://www.ethereal.com.
[5] AirDefense, "AirDefense Monitors Wireless Airwaves at RSA 2005 Conference," press release, Feb. 17, 2005 [Online]. Available: http://airdefense.net/newsandpress/02_07_05.shtm.